Re: Guide! Help! Using guix, or GNU/Linux, for secrecy, privacy.

[zimoun]

Hi,

On Thu, 05 Nov 2020 at 20:14, Aniket Patil <aniket112.patil@gmail.com> wrote:

> reliable either. Recently, I read zimouns vlog
>
> " right, Google is evil, but the storage and the search features are really
> useful. So, I am thinking to switch to notmuch <https://notmuchmail.org/>,
> but not enough time to configure it, yet. "

Is me that wrote this?  Where?  And when?


> So, is notmuch is reliable?
>
> I get paranoid after reading RMS, or Snowden. I think a lot about my
> privacy and others as well. Hence I am asking this, and participating in
> GNU projects and Free Software Projects. So coming to the point.
>
> How to or which email client shall I use or email service?
>
> Recently I was browsing on TOR but I guess even TOR exposes my IP address
> on internet. So shall I use it with VPN? If So which VPN? I know about
> WireGuard but it has GPL2 license not GPL3.
>
> What else can I do to secure myself?

Really opinionated reply; Friday’s troll! ;-)


I am not sure to understand the question: against what you want to be
secure.

As you see, I am still using Gmail.  Most of the time, I compose emails
using Emacs.  Sometimes, I reply using their web interface.  Most of the
time, I read and search emails via Notmuch (+Emacs frontend), and
sometimes via the web interface.  Whatever.

I try to replace the web interface facilities.  However my emails are
still stored on the Google infrastructure.  And somehow, 50% of all our
emails are stored by Google.  (This one is! because of your and my gmail
addresses.)

https://mako.cc/copyrighteous/google-has-most-of-my-email-because-it-has-all-of-yours

And even, it is a public mailing list, therefore data are on the Google
infrastructure.  And even if it is not a public mailing list but an
encrypted email, then it is almost sure that Google will get the
metadata around––which are clear.  Snowden explains clearly that:
metadata is one of the key.

Replace Google by whatever is scaring.

If you use another email service, you have to trust this service.  For
example, I have a Proton email account but I have no proof that they are
really doing what they claim to do; since all their code is not “open“.
And even the code would be “open“, I have no proof that the binary they
run corresponds to the code.  Well, the only way is to run your own
service.  But even with that, you are not protected against the 2
previous collects.

About privacy, the emails are doomed.  Period.

And I am not speaking about how to trust the binaries we use.  For
example, Pandoc is not secure since the Haskell compiler GHC is not
bootstrappable.  Another example is the Nyxt webbrowser because of the
Common Lisp SBCL reproducibility issue.  Emacs is not reproducible
neither.  Zillions of other example are around… I am not talking about
how to trust the binaries running TOR or VPN or whatever service.  And
last, how to trust the hardware?

Well, the question you have to answer first is: against what you want to
protect.

If you are paranoid, then you should be unplugged.  Else, you have to
first define what is your personal policy and what is the one of the
people you interact with.


Hope that helps,
simon

ps:
As Joshua wrote, these questions are better on help-guix@gnu.org. :-)